Privacy Notice

How we use personal information relating to our pupils

Data Controller

Edith Cavell Primary School

Manton Lane

Bedford

MK41 7NH

This Privacy Notice is to let you know how we as an educational setting look after personal information about our pupils. This includes the information you provide us as well as information we hold about our pupils relating to their education. This notice explains the reasons why we hold personal information, how we use this information, who we share it with and how we keep it secure. This notice meets with the requirements of the General Data Protection Regulations (GDPR).

Please refer to the website copy of this Privacy Notice for the latest version as it will be updated from time to time to reflect any changes in our circumstances.

If you have any questions or queries or would like to discuss anything in this Privacy Notice, please contact: the Head teacher

How we collect pupil information

We obtain pupil information for the start of each academic year through our ‘new pupil’ registration forms. We also collect any changes to pupil information through update forms during the academic year as part of our data administration process to keep the information we hold as up-to-date as possible. We also collect information through secure file transfers which contain relevant information (e.g. name, date of birth, attendance details) about our new pupils from their previous schools.

We collect and hold pupil information that includes:

Personal information about the pupils that come to our school such as name, unique pupil number and address, date of birth

Characteristics such as home language, meal arrangements and eligibility, special educational needs

Information that is categorised as special data such as gender, ethnicity, religion and medical information

Contact information such as parental and other contact names and telephone numbers for use in cases of emergency

Safeguarding information such as court orders, professional involvement and contact with non-resident parents

In addition to the information we collect from parents/carers, we also record and hold the following information:

Attendance information such as sessions attended, number of absences and absence reasons

Assessment information recorded at various assessment capture points during the academic year as well as end of year attainment information such as Phonics outcomes and Key Stage 1 results

Behaviour information and where relevant, lunch time, fixed and permanent exclusions and any relevant alternative provision

Why we collect and use this information

We use the pupil data to:

support pupil learning

safeguard pupils in our care

record attendance

monitor and report on pupil attainment and progress

keep children safe whilst in our care

provide appropriate pastoral care

assess the quality of our services

comply with the law regarding data returns and sharing

provide any additional support

We use parent/carer contact information to:

email parents/carers for the purpose of notifying them of school events and sharing pupil school work and various reports relating to the pupil’s life at the school

telephone parents/carers in cases of emergency or other matters relating to the safety of the child

The lawful basis on which we hold and use this information

We collect and use pupil information under the legal basis of public interest as an educational setting/school with the delegated task of educating and safeguarding the children in our care and under a legal obligation which necessitates our school making statutory data returns to the Department for Education (DfE) and our Local Authority [as described in Article 6, GDPR].

The special categories of data have been collected through explicit consent from the data subject in support of the specific purposes for which the data is being used in the education and safeguarding of pupils in our care [Article 9, GDPR].

Whilst the majority of pupil information you provide to us is mandatory (for reasons described above), there may be some information which we ask you for which is not mandatory but provided on a voluntary basis.

In some cases, we will ask you for information on the legal basis of legitimate interest where the information is required to support an educational or safeguarding function (e.g. a parent/carer email address or mobile contact number so that we can contact the parent/carer in an emergency or reasons involving the safety of the child).

The data we collect relating to medical health information is necessary to protect the vital interests of the child so that we can ensure a child’s medical needs are properly addressed and catered for.

As a parent/carer, you cannot decline a data collection but you have the right to decline providing information for self-declared data items by selecting the ‘Refused’ option e.g. ethnicity.

There are certain personal data items (e.g. photographs) which we collect on the legal basis of legitimate interest. We will ask you for your explicit consent about how these data items can be used if the purpose extends beyond holding the data within our main management information system (e.g. photograph on our school’s website). As a parent/carer you can change your decision to grant or withdraw consent at any time.

If at any point in the future, we seek to use any previously collected information for another purpose or use the information in new software, we will ask for your explicit consent to do so.

Who we share pupil information with

We routinely share pupil information with:

the school that a pupil attends after leaving us

our local authority

the Department for Education (DfE)

We also share certain pupil data with other parties that provide a service for our school:

School Nurse

Peripatetic music teacher

Luton Town Football Club

The majority of our pupil information is processed in our main Management Information System (MIS). However, our school also purchases third party software to help us provide additional functions and services. Certain data held on our main management information system is also shared with third party software providers for the following reasons:

Assessment software which uses the main pupil information such as name, class, date of birth and some contextual information to help us record attainment and track progress

Text messaging software which uses the contact names and telephone numbers to notify parents/carers of certain events and important notices

Online payments system which uses our pupil names and classes to link to parent users for the purpose of enabling payments for meals etc.

Library system which uses pupil names and classes

We actively ensure that all of the third party software organisations we share data with comply with the General Data Protection Regulations through their Privacy Notices and Data Sharing Agreements that they share with us.

Why we share pupil information with external parties

We do not share information about our pupils with anyone without consent unless the legal basis for holding and sharing the data allows us to do so.

We share pupil data with the Department for Education (DfE) and the Local Authority on a statutory basis through data collections such as the school census under the following statutes:

The data shared with the DfE and the local Authority is for the purpose of:

determining school funding which is calculated based upon the numbers of children and their characteristics in our school

informing the monitoring of ‘short term’ education policy such as Pupil Progress measures

supporting the ‘longer term’ research and monitoring of educational policy

Most of the pupil data we share with the DfE is held within their National Pupil Database (NPD). Please refer to the last page of this Privacy Notice for more information about the NPD and their basis for sharing data with third parties.

How we keep personal data secure

We fully adhere to our Data Protection policies which outline our procedures and processes for accessing, handling and storing data safely in accordance with all the GDPR principles. These policies are regularly reviewed and ratified by our governors. The following processes ensure that we comply with data protection legislation in how we manage the protection of personal data:

Data held in a physical location within the school is held securely and only accessible by staff with appropriate authorisation

Access to data on systems is through individual passwords which are carefully managed and monitored

Any data that is removed from the school is minimised and encrypted

Older data is safely removed from computers and other devices

Data shared with the DfE and the Local Authority is shared through secure file transfer systems. Any data shared with other legitimate third parties where there is a legal basis for sharing will only be shared through secure methods.

Data shared with third party software suppliers is controlled by the school. We will only deal with suppliers who can demonstrate that they comply with the requirements of data protection legislation and do not use personal data for any purpose other than fulfilling the functions we have contracted with them (e.g. assessment).

We ensure all staff receive regular training on data protection

We also adhere to our Data Breach Procedures Policy in the event of a data breach. These procedures explain how our school responds to occurrences of known or reported data breaches. A copy of this policy is available on our school website at http://www.edithcavellprimary.co.uk

Requesting access to your personal data

Under data protection regulations, you as the parent/carer and pupils (from age 13), you have the following rights:

Right to be informed

Right to access to your child’s or your personal information

Right to have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances

Right to object to processing of personal data that is likely to cause, or is causing, damage or distress

Right to restrict processing for the purpose of direct marketing

Right to data portability

Right to object to decisions being taken by automated means

Right to claim compensation for damages caused by a breach of the Data Protection regulations

It should be noted that some of these rights will not apply in circumstances where allowing them would significantly reduce or prevent our ability to perform our duties as a school and safeguard the children in our care.

You do have the right to request access to personal information about you and/or your child that we hold. To request access to your personal information or to your child’s educational record, you can make a Subject Access Request (SAR). For further information about this contact the Head teacher.

Our school will follow procedures outlined in our Subject Access Request Policy available from our website http://www.edithcavellprimary.co.uk which follows the guidelines promoted by the data protection regulations.

Please note that whilst we aim to respond to requests within the required time period of one month, we may not be able to honour this time period if we receive requests just before or during school holidays. If the nature of the request is complex and/or the request falls within a holiday period, we will aim to reach a mutually agreed alternative time period.

How long we keep personal information

We hold pupil data for the period determined appropriate for the different types of data we hold.
We will keep information for the minimum period necessary in accordance with DfE’s data retention recommendations which take into account legal and safeguarding considerations linked to the types of data held. Our Data Retention Schedule can be found on our website at http://www.edithcavellprimary.co.uk.

All information is held securely and will be destroyed as appropriate under secure and confidential conditions.

Let us know of any changes to personal information and emergency contact information

As a matter of course, we will contact you at least once a year to ensure that all the personal information and emergency contact details we have for your child are accurate and up-to-date. We would encourage you very strongly to ensure that any changes to phone numbers in particular are notified to our school office as soon as possible.

Reporting concerns about our data protection processes

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting the head teacher. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/

Keeping you informed through this Privacy Notice

We aim to keep you informed of any changes to our data collections and data protection obligations through this Privacy Notice – the latest copy will be available on our website at http://www.edithcavellprimary.co.uk

We incorporate information about the pupil data we hold and how we adhere to the GDPR principles for protecting this data in our e-Safety and ICT lessons so that our children are aware of what we do.

Department for Education (DfE)

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department.

It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

The Department has robust processes in place to ensure the confidentiality of our pupils’ data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

who is requesting the data

the purpose for which it is required

the level and sensitivity of data requested; and

the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.